Cannot push clients - Failed to connect using machine account
After restoring SCCM from old x86 server to new x64 server I cannot install clients.
Current version is SCCM 2007 SP2 without R2. SCCM is in mixed mode, SCCM was installed to SAME path, was successfully restored from backup using "ConfigMgr Site Repair Wizard".
But new clients cannot be installed now.

The following is in ccm.log:
"---> Warning: no remote client installation account found  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=3936 (0xF60)>
---> Attempting to connect to administrative share '\\computername\admin$' using machine account.~  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=3936 (0xF60)>
---> Failed to connect to \\computername\admin$ using machine account (1203)  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=2900 (0xB54)>"
Account used for push install presents in "Domain Admins" group and can reach this share from SCCM server using explorer or file manager.
Firewall service is stopped and disabled on target computers.

Searching through logs I was confused by this: "Warning: no remote client installation account found". It's impossible because account is present and set correctly both in "client push installation" and "computer client agent". Account was cleared and set again but warning is the same.

At last I found the problem. In the beginning of SMS_CLIENT_CONFIG_MANAGER initialization there is a string in the ccm.log:
"~WARNING: failed to encrypt account domain\account  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=2656 (0xA60)>"
I think that's the source of trouble. But I can't find the reason.

By the way, the same message is in policypv.log:
"~failed to encrypt network access accountdomain\account  $$<SMS_POLICY_PROVIDER><Date Time Russian Standard Time><thread=3720 (0xE88)>"
It's exactly so in log, without space between "account" word and "domain\account"!

Any domain account I try to add for push installation appears in these logs with the same encrypt error!

Can anyone help please?
Thanks a lot!
November 13th, 2009 7:04pm

Hi Mikhail,

Your personal domain admin account may be able to get to admin$, but that doesn't mean that your primary site server's account can. Make sure that your primary site server's Active Directory computer account is in the Domain Admins group. If you had to add it, reboot the primary site server so that new group membership is valid. If you use an installation account instead of relying on the primary site server's computer account, confirm that account is either nested in Domain Admins, or that account is somehow nested in each computer's local Administrators group.
November 16th, 2009 9:16am

Thanks for reply, Eric.

You're right, adding SCCM computer account to the Domain Admins group solves the problem.
But I'm afraid this method removes consequences of problem but the cause of problem still remains.

The problem is in "failed to encrypt account domain\account" message in ccm.log. As a result, the SMS_CLIENT_CONFIG_MANAGER component cannot use the specified account for client push installation and is forced to use the machine account.
As I said before, we have restored config from old SCCM installation to new x64 OS. But old SCCM server worked perfectly with user domain account and without membership in the Domain Admins group.

So question is - what does "failed to encrypt account domain\account" message mean?
Can it be effect of restoring SCCM config to new OS installation?
November 18th, 2009 1:39pm
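
The log pattern described in the posts above (an encryption warning for the configured account, then "no remote client installation account found", then a failed machine-account connection) can be checked for mechanically. This is an added example, not part of the original thread; the function names are hypothetical and the sample text is constructed from the lines quoted in the posts.

```python
import re

# Constructed sample: the log lines quoted in the thread, with the thread's own
# placeholders ("Date Time", "computername", "domain\account") left as they are.
SAMPLE = r"""
~WARNING: failed to encrypt account domain\account  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=2656 (0xA60)>
~failed to encrypt network access accountdomain\account  $$<SMS_POLICY_PROVIDER><Date Time Russian Standard Time><thread=3720 (0xE88)>
---> Warning: no remote client installation account found  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=3936 (0xF60)>
---> Attempting to connect to administrative share '\\computername\admin$' using machine account.~  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=3936 (0xF60)>
---> Failed to connect to \\computername\admin$ using machine account (1203)  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=2900 (0xB54)>
"""

# Message text, then "$$<component><timestamp><thread=...>".
LINE = re.compile(r"^(?P<msg>.*?)\s*\$\$<(?P<component>[^>]*)><[^>]*><thread=\d+")
# policypv.log omits the space before the account name, so the gap is optional.
ENCRYPT = re.compile(r"failed to encrypt (?:network access )?account\s*(?P<acct>\S+)", re.I)
FAILED = re.compile(r"Failed to connect to (?P<share>\S+) using machine account \((?P<code>\d+)\)")
NO_ACCOUNT = "no remote client installation account found"


def parse(text):
    """Yield (component, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip().strip('"'))
        if m:
            msg = m["msg"].strip("~ ").removeprefix("--->").strip()
            yield m["component"], msg


def triage(text):
    """Summarise account-encryption warnings and machine-account fallbacks."""
    report = {"encrypt_failures": set(), "no_push_account": 0,
              "machine_account_failures": []}
    for component, msg in parse(text):
        if m := ENCRYPT.search(msg):
            report["encrypt_failures"].add((component, m["acct"]))
        elif NO_ACCOUNT in msg.lower():
            report["no_push_account"] += 1
        elif m := FAILED.search(msg):
            # 1203 is the Win32 error ERROR_NO_NET_OR_BAD_PATH.
            report["machine_account_failures"].append((m["share"], int(m["code"])))
    # A configured account that fails to encrypt AND a "no account found"
    # warning together mean push is silently running as the machine account.
    report["fallback_to_machine_account"] = bool(
        report["encrypt_failures"] and report["no_push_account"])
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```
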

If I were you I would also want to know why you are getting that message, but as an FYI... I never use a client push account, it's just one more password to have to deal with. I have a GPO that adds a group which contains all my SCCM servers to the local admins group on all my computers. This works for all but domain controllers. For those either manually install the client or add the SCCM servers to domain admins. I just try to avoid using domain admins as much as possible.


November 18th, 2009 2:30pm

I agree with John: there is no reason to use the Domain Admins group for anything at all when designing your ConfigMgr infrastructure. That's not to say you can't do so and function perfectly fine. It's just that at most companies that requirement might be labeled a security risk--so it's not necessary to allow for successful functioning of ConfigMgr.

If that's working for you (domain admins), and your Security team doesn't have a problem with that, fine. But you can use a different group (as John Marcum mentioned) to nest in the configmgr servers into clients' local Administrators groups as well. (assuming, of course, that you even need to use client push, this is going way off topic, but client push doesn't have to be used either... many companies function just fine without that as well)
November 18th, 2009 2:46pm

After restoring SCCM from old x86 server to new x64 server I cannot install clients.
Current version is SCCM 2007 SP2 without R2. SCCM is in mixed mode, SCCM was installed to SAME path, was successfully restored from backup using "ConfigMgr Site Repair Wizard".
But new clients cannot be installed now.

The following is in ccm.log:
"---> Warning: no remote client installation account found  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=3936 (0xF60)>
---> Attempting to connect to administrative share '\\computername\admin$' using machine account.~  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=3936 (0xF60)>
---> Failed to connect to \\computername\admin$ using machine account (1203)  $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=2900 (0xB54)>"
We're having the EXACT same problem after our migration today from x86 --> x64. Please tell me you've found a solution. We're ready to revert to a snapshot tomorrow if we can't figure this out.
November 19th, 2009 9:27pm

Did you keep the same servername?

Open a command prompt as local system and try to connect to \\computername\admin$ on one of the failing clients.


here's a couple guides on opening a command prompt as local system:

http://hinchley.net/2009/10/12/how-to-open-a-command-prompt-under-the-context-of-the-local-system-account


http://community.landesk.com/support/docs/DOC-2316

November 20th, 2009 1:40am

We're not using the SCCM system account to push clients. We're using a separate domain account that has admin privs on all client workstations. The problem persists this morning -

WARNING: failed to encrypt account domain\account

We're going to try 32bit 2008 instead of R2 later today.
November 20th, 2009 4:01pm

Did anyone ever figure this out? I'm going through the same thing.
February 23rd, 2010 4:28pm

Not supported but... remove the account from the console, check the Site Control file to see if you still have the name listed in there. Delete it from there and save the file. Also just open and save the control file. (BACKUP FIRST!!) This corrected it for me. As a workaround while I did this, I just created a new push account and used that to get around the problem quickly.

February 24th, 2010 1:29pm

Hi,

For security reasons, and since we can't use the Domain admin all the time, I just simply created a security group and added to it the SCCM account and server name, and then created a group policy to push this group into the local administrators group for all computers.

worked just fine

March 18th, 2015 8:28am

  • Proposed as answer by Elie Salameh Wednesday, March 18, 2015 12:27 PM
March 18th, 2015 12:26pm


This topic is archived. No further replies will be accepted.
